TECH TALK: The Equifax Hack – What you need to know

ERIC’S TECH TALK

by Eric Austin
Computer Technical Advisor

Do you have a coin? Flip it. Tails, you are about to be the victim of identity theft. Heads, you’re safe — maybe. That’s the situation created by the recent Equifax data breach.

The hack exposed the personal information of 143 million Americans. That’s half of everyone in America. Names and addresses, Social Security numbers, birth dates, and even driver’s license numbers were stolen, as well as 209,000 credit card numbers.

“This is about as bad as it gets,” Pamela Dixon, executive director of the World Privacy Forum, a nonprofit research group, told the New York Times. “If you have a credit report, chances are you may be in this breach. The chances are much better than 50 percent.”

As a precaution, the widespread advice from financial advisers is to request a freeze of your credit from each of the three big credit reporting agencies: TransUnion, Experian and Equifax. Each freeze request will cost you $10 – although, after some seriously negative press, Equifax has decided to waive its fee until November 21.

The details of the hack and Equifax’s handling of it are also concerning. According to the Times, Equifax detected the breach in July, but didn’t warn consumers until September. It’s estimated hackers had access to Equifax data from mid-May until July 29, before the hack was finally discovered.

The New York Post first revealed the cause of the breach: a vulnerability in the software package Apache Struts, an open-source web development framework used by many big financial institutions. The developer of the software discovered the vulnerability back in March and issued a fix for the problem, but Equifax neglected to update its systems.

After the public announcement in September, Equifax set up a website, Equifaxsecurity2017.com, where consumers can check to see if they are among those affected. According to the company, at the site you can “determine if your information was potentially impacted by this incident.”

You can also sign up for a free year of identity protection through their service, TrustedID. Initially, Equifax received some backlash when it was discovered that consumers signing up for the program were forced to agree to a “terms of service” that waived their rights to sue for damages. The language has since been altered, and Equifax recently released a statement insisting that using the service will not require individuals to give up any of their rights to participate in a class-action lawsuit.

Other troubling reports have come to light as well. The day after Equifax discovered the data breach – but over a month before it was disclosed to the public – three Equifax executives, including the company’s chief financial officer, unloaded nearly two million in corporate stock. The company’s stock value has fallen more than 35 percent in the days since, and Congress is calling for an investigation into possible insider trading.

Equifax’s recent activities in Washington have only added to the bad press. In the months leading up to the hack, Equifax was busy lobbying Washington to relax the regulations and safeguards on the credit reporting industry. According to The Philadelphia Inquirer, the company spent more than $500,000 seeking to influence lawmakers on issues such as “data security and breach notification” and “cybersecurity threat information sharing” in the first six months of 2017.

This includes an effort to repeal federal regulations upholding a consumer’s right to sue credit reporting companies. In July, as reported by the Consumerist, an arm of Consumer Reports, Congress passed the Congressional Review Act in a slim, party-line vote. If upheld by the Senate and signed by the President, the resolution would overturn certain rules created by the Consumer Financial Protection Bureau to regulate the financial industry. This agency was set up as a safeguard for consumers after the financial crash of 2007-08. Among the rules under danger of repeal are measures meant to protect consumers by “curbing the use of ‘forced arbitration’ in many consumers’ financial contracts.”

And Equifax is likely to profit from this act of negligence, as it fuels existing paranoia about online privacy and will inspire millions to spend money on the pseudo-security of identity protection services, including Equifax’s own TrustedID.

The fallout from this hack is still being assessed, and likely won’t be fully known for years, if ever. This is the Deepwater Horizon of data breaches, and it should serve as a similar wake-up call for consumers.

We need a higher standard of accountability in the financial industry. These institutions no longer simply protect our money. Now they guard our very identities. Their servers should be as secure as their bank vaults. Money is replaceable, but most of us have only the one identity.
